Federal Government changes to the mandatory data breach notification system


After receiving industry feedback during a consultation period, the Federal Government introduced into Parliament on 19 October 2016 the Privacy Amendment (Notifiable Data Breaches) Bill 2016. The Bill is aimed at enforcing mandatory obligations on Australian companies to notify the Office of the Australian Information Commissioner, as well as affected individuals, of any “eligible data breach” concerning information that the company holds on the individual, within 30 days after becoming aware of the breach. Information here includes personal information, credit reporting and eligibility information, and tax file number information, where such information is required to be kept securely under the Privacy Act 1988 (Cth).

The standard to apply is whether the company has reasonable grounds to believe that there has been an eligible data breach. This is defined as unauthorised access to, or disclosure of, relevant information where a reasonable person would conclude that the access or disclosure would be likely to result (being more probable than not) in serious harm to the individuals to whom the information relates; or where the relevant information is lost in circumstances where unauthorised access to or unauthorised disclosure of this information might occur and, if it did, a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates. This has raised the bar from the 2015 proposed bill, and it appears that notification to the Privacy Commissioner is not appropriate for minor breaches. If the entity merely suspects a breach, it must now also carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an “eligible data breach”.

If the breach meets the above standard, the company will then be required, as soon as practicable after becoming aware of such a breach, to (1) prepare a statement on numerous matters, (2) provide a copy of the statement to the Privacy Commissioner, and (3) if practicable, provide a copy to each individual who is at risk from the breach or to each individual to whom the compromised information relates; if neither of these steps is practicable, the company must publish a copy of the statement on its website and take reasonable steps to publicise its content. The notification must include the identity and contact details of the company, a description of the serious data breach, the kinds of information concerned, and recommendations about the steps that individuals should take in response to the serious data breach.

What does this mean for your business? If you take action in relation to the unauthorised access, disclosure or loss before any serious harm arises, and as a result a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the affected individuals, then the access, disclosure or loss will be deemed never to have been an eligible data breach. The Federal Government is calling on business to take proactive action within a timely period, and with repeated failures to comply, or serious interferences, giving rise to a civil penalty of up to A$1.8 million for a company, business should not be taking these concerns lightly.

This is where Cyber + Privacy Risk Insurance comes into play to protect you against claims. There are three key elements to consider in deciding to take this policy. Firstly, the policy can provide coverage for third party claims against you arising from a failure to keep data secure, including claims for compensation, payment of any fines and penalties, and any defence and legal representation costs and expenses if required. Secondly, the policy can provide coverage for business interruption costs, including the necessary expenses to maintain the operation of the business during an interruption, and reimbursement for lost profits. Thirdly, the policy can provide coverage for remediation costs, including the insured’s own costs of credit monitoring, forensic investigations, data restoration, and cyber extortion.

The best form of protection you can provide for your business is a standalone Cyber Liability & Privacy Protection Insurance Policy. A Cyber Risks Extension on some policies will not provide the full cover for peace of mind, as it is typically limited to claims for compensation, the costs to restore or repair systems after a hack attack, and ransom payments to a hacker. The extension typically provides a lower Limit of Liability, usually no cover for Business Interruption, and coverage limited in jurisdiction to Australia and New Zealand.

Call ii-A today on 1300 00 2481 to organise comprehensive cover for your business.